Tuesday, December 10, 2013

TOPEKA, KAN. — State agencies need to do a better job protecting sensitive information stored on their computer systems, a new audit said.

The information technology audit found "chronic weaknesses" in several security controls, including weak passwords and software vulnerabilities. That has left several state agencies vulnerable to hackers gaining access to confidential data or breaches from within.

"After three years of auditing this area, we have seen little improvement across agencies," said Justin Stowe with the Legislative Post Audit Division.

The audit evaluated eight agencies: the Department of Administration, Department for Aging and Disability Services, Department for Children and Families, the Department of Health and Environment, Kansas Attorney General, Kansas Bureau of Investigation, Kansas Highway Patrol and Kansas Public Employees Retirement System.

The audit said confidential information that could be housed in these agencies includes Social Security numbers, tax return information and other personally identifiable information.

Of those agencies, only KPERS had an adequate outcome in all three tests of the security management process, which is where risks and controls are regularly tested and monitored, the audit said.

Specific weaknesses in each of the agencies weren't detailed in the public audit for fear of causing further security problems, Stowe said.

Auditors, officials from the various agencies and members of the Joint Committee on Information Technology met behind closed doors to discuss the report.

The audit said that five agencies had from 10 percent to 26 percent of staff using weak passwords. Some passwords identified were Password1234, Summer53, Marine62 and Potato#2.

Fifty percent of staff didn't know what made a strong password; 25 percent didn't know that they shouldn't share their password with anyone; and 23 percent didn't understand that viruses could be transferred to their work station from a portable device such as their smart phone, the audit said.

One agency did not have anti-virus software installed on eight computers; three agencies didn't have an adequate process to manage all mobile devices; and only one agency had an adequate process to continue operations in the event of an emergency, the audit said.